On 26.04.2011 04:47, Mihira Fernando wrote:
On 04/26/2011 12:24 AM, Dimstar / Dominique Leuenberger wrote:
On Fri, 2011-04-22 at 18:26 +0530, Mihira Fernando wrote:
On 04/22/2011 06:06 PM, Sandy Drobic wrote:
On 22.04.2011 06:37, Mihira Fernando wrote:
On 04/22/2011 04:09 AM, Jim Flanagan wrote:

Port 25 is for non SSL SMTP traffic. You can't expect it to give you a SSL connection. Port 465 is the SSL port for SMTP. This should be opened from postfix master.cf.

Your information is outdated, port 465 is the deprecated SSL-Port. If the client sends the EHLO command instead of the HELO, then the server can offer STARTTLS in its capabilities to the client. That initiates a TLS encrypted connection.

True but so far the de facto standard is that port 25 is used for non encrypted SMTP traffic. Running SSL or TLS only on port 25 is likely to cause your server to lose mail as MTA - MTA mail delivery is still largely non encrypted.

This is incorrect: tcp/25 can be TLS encrypted. TLS OPTIONAL of course, if your server needs to receive mail from other servers (so if your SMTP is a receiving Server).
There is hardly ANY Server out there still using SSL directly.
The usual thing for TLS OPTIONAL is to issue an ehlo, check for a starttls command and issue it, changing to TLS.
Dominique
So exactly what in my statement earlier is incorrect?
Your assumption was that encryption is mandatory and thus responsible for rejecting mails that should be accepted. This is not the case with STARTTLS. STARTTLS is an OPTION for the client. The reason for this is downwards compatibility. A client may use HELO and deliver mails without encryption, a client may use EHLO and MAY use STARTTLS to encrypt the connection.

On the other side you may apply policies on your server like
- only allow mails from certain domains when the connection is encrypted
- only allow SMTP AUTH when the connection is encrypted
...

Port 465 is only useful for internal servers when the mails are sent from an internal backend and the transport is set manually including the port. For some strange reason Domino does check port 465 when attempting to deliver mails, though it could be a configuration upgrade problem since our system is rather old and has seen quite a lot of version upgrades.

Sandy
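The behaviour described in the last reply (STARTTLS optional on port 25, with SMTP AUTH and selected sender domains accepted only over an encrypted connection) can be modelled offline. This is an added example, not code from the thread or from Postfix; the host names, the domain list and the reply texts are constructed, and no real TLS handshake or credential check takes place.

```python
# Added sketch: offline model of a receiving MTA where STARTTLS is optional.
# Host and domain names are constructed; reply texts are illustrative.
TLS_ONLY_SENDER_DOMAINS = {"partner.example"}  # assumption: policy list


class Session:
    def __init__(self):
        self.greeted = False
        self.tls = False

    def ehlo_reply(self):
        # STARTTLS is advertised in clear text; AUTH appears only after TLS.
        caps = ["mx.example", "PIPELINING"]
        caps.append("AUTH PLAIN" if self.tls else "STARTTLS")
        return "\r\n".join(
            f"250{' ' if i == len(caps) - 1 else '-'}{c}"
            for i, c in enumerate(caps))

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "HELO":                      # legacy client, no extensions
            self.greeted = True
            return "250 mx.example"
        if verb == "EHLO":
            self.greeted = True
            return self.ehlo_reply()
        if verb == "STARTTLS":
            if self.tls:
                return "503 TLS already active"
            self.tls, self.greeted = True, False  # client must EHLO again
            return "220 Ready to start TLS"
        if not self.greeted:
            return "503 Send HELO/EHLO first"
        if verb == "AUTH" and not self.tls:
            return "530 Must issue a STARTTLS command first"
        if verb == "AUTH":
            return "235 Authentication successful"  # credentials not modelled
        if verb == "MAIL":
            domain = arg.rpartition("@")[2].split(">")[0].lower()
            if domain in TLS_ONLY_SENDER_DOMAINS and not self.tls:
                return "530 Must issue a STARTTLS command first"
            return "250 Ok"
        return "502 Command not implemented"


def codes(commands):
    """Run one session and return the reply code of each response."""
    s = Session()
    return [s.handle(c)[:3] for c in commands]
```

In Postfix, the optional-TLS and AUTH-only-over-TLS parts of this policy correspond to `smtpd_tls_security_level = may` and `smtpd_tls_auth_only = yes`.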